A system that uses discretionary access control (DAC) allows the holder of the resource to specify which subjects can access specific resources. This model is called discretionary as the control of access is based on the discretion of the owner.

The most common application of DAC is through access control lists (ACLs), which are specified and maintained by the owners and enforced by the operating system.

DAC leaves the management of privileges, i.e. the granting and revoking of access rights, to the discretion of individual users.

It is highly flexible

Not appropriate for –

-- High assurance systems, e.g. a military system

-- Many complex commercial security requirements

It is identity-based
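The following is an added example, not code from the original post: a minimal DAC reference monitor in Python. Each object has an owner, only the owner can add or remove ACL entries, and the monitor checks the ACL on every access by the subject's identity. The user names, object names and rights are constructed; the last part of the demo shows the limitation the post names for high-assurance systems, namely that an authorised reader can copy data into an object he owns and then share it at his own discretion.

```python
"""Added example (not from the original post): a minimal discretionary
access control (DAC) reference monitor. Each object has an owner; only the
owner can grant or revoke entries in its ACL, and the monitor enforces the
ACL on every access. All users, object names and rights are constructed."""

from dataclasses import dataclass, field

RIGHTS = frozenset({"read", "write"})


class AccessDenied(Exception):
    """Raised when the monitor refuses an operation."""


@dataclass
class DacObject:
    name: str
    owner: str
    content: str = ""
    # ACL: subject -> set of rights; populated only by the owner
    acl: dict = field(default_factory=dict)


class DacMonitor:
    def __init__(self):
        self.objects = {}

    def create(self, owner, name, content=""):
        obj = DacObject(name, owner, content)
        obj.acl[owner] = set(RIGHTS)        # owner holds full rights
        self.objects[name] = obj
        return obj

    def _require_owner(self, actor, name):
        obj = self.objects[name]
        if actor != obj.owner:               # discretionary: the owner decides
            raise AccessDenied(f"{actor} does not own {name}")
        return obj

    def grant(self, actor, name, subject, right):
        if right not in RIGHTS:
            raise ValueError(f"unknown right {right!r}")
        self._require_owner(actor, name).acl.setdefault(subject, set()).add(right)

    def revoke(self, actor, name, subject, right):
        self._require_owner(actor, name).acl.get(subject, set()).discard(right)

    def allowed(self, subject, name, right):
        """Identity-based check: the ACL entry for this subject decides."""
        return right in self.objects[name].acl.get(subject, set())

    def read(self, subject, name):
        if not self.allowed(subject, name, "read"):
            raise AccessDenied(f"{subject} may not read {name}")
        return self.objects[name].content


def dac_demo():
    m = DacMonitor()
    m.create("alice", "design.doc", "internal design notes")
    m.grant("alice", "design.doc", "bob", "read")
    r = {
        "bob_read": m.allowed("bob", "design.doc", "read"),
        "bob_write": m.allowed("bob", "design.doc", "write"),
    }
    # Bob is not the owner, so he cannot extend the ACL himself.
    try:
        m.grant("bob", "design.doc", "carol", "read")
        r["bob_can_grant"] = True
    except AccessDenied:
        r["bob_can_grant"] = False
    # The limitation the post notes for high-assurance systems: nothing
    # stops an authorised reader from copying the data into an object he
    # owns and granting access to it at his own discretion.
    m.create("bob", "copy.doc", m.read("bob", "design.doc"))
    m.grant("bob", "copy.doc", "carol", "read")
    r["carol_reads_copy"] = m.read("carol", "copy.doc") == "internal design notes"
    m.revoke("alice", "design.doc", "bob", "read")
    r["bob_read_after_revoke"] = m.allowed("bob", "design.doc", "read")
    return r


if __name__ == "__main__":
    print(dac_demo())
```

Running the demo shows the two sides of DAC at once: the owner's ACL is enforced exactly as written (Bob cannot write, cannot grant, and loses read on revoke), yet the model places no control on where data flows once a permitted read has happened.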

Mandatory Access Control – MAC

In a mandatory access control (MAC) model, users and data owners do not have as much liberty to determine who can access files. The operating system makes the final decision and can override the users’ wishes.

This model is much more structured and strict and is based on a security label system. Users are given a security clearance (secret, top secret, confidential, and undefined), and data is classified in the same way. The clearance and the classification are stored in security labels, which are bound to the specific subjects and objects.

A given IT infrastructure in a software development company can implement MAC in many places and at different levels. The OS uses MAC to guard files and directories.

Database management systems apply MAC to regulate access to tables and views. The best commercially available application systems apply MAC as well, often independently of the operating systems and/or DBMSs on which they are installed.

The OS constrains the ability of a subject, or initiator, to access or perform some operation on an object. The subject is usually a process or thread, and objects are constructs such as files, TCP/UDP ports and shared memory segments.

Whenever a subject tries to access an object, an authorization rule enforced by the operating system kernel inspects the security attributes of both and decides whether the access can take place.

Information classification is necessary; the model is label-based

Well suited to the requirements of government and industry organizations that process classified and sensitive information

Such environments usually require the ability to control the actions of individuals beyond just an individual's ability to access information, according to how that information is labeled based on its sensitivity
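Here is an added example, not code from the original post, of the label-based check described above, written as a small Python model of the kernel's authorization rule. It uses the four levels the post names, ordered (an assumption) undefined < confidential < secret < top secret, and applies the classic "no read up, no write down" rule, which is also an assumption since the post does not name a specific rule. Only the kernel holds and sets labels, so a data owner has no way to override the decision; denied accesses are recorded for detection. Process and object names are constructed.

```python
"""Added example (not from the original post): a label-based mandatory
access control (MAC) check of the kind a kernel applies on each access.
Level ordering and the "no read up, no write down" rule are assumptions;
process and object names are constructed."""

from dataclasses import dataclass

# Assumed ordering of the four levels named in the post, lowest first.
LEVELS = ("undefined", "confidential", "secret", "top secret")


@dataclass(frozen=True)
class Label:
    level: str

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other):
        return LEVELS.index(self.level) >= LEVELS.index(other.level)


class MacKernel:
    """Holds all security labels and enforces the rule. Subjects have no
    API to relabel anything, so an owner's wishes cannot override policy."""

    def __init__(self):
        self.clearance = {}        # subject (process/thread) -> Label
        self.classification = {}   # object (file, port, shm segment) -> Label
        self.audit = []            # denied accesses, for detection

    def label_subject(self, subject, level):
        self.clearance[subject] = Label(level)

    def label_object(self, obj, level):
        self.classification[obj] = Label(level)

    def authorize(self, subject, obj, op):
        s = self.clearance[subject]
        o = self.classification[obj]
        if op == "read":
            ok = s.dominates(o)      # no read up: clearance must cover the data
        elif op == "write":
            ok = o.dominates(s)      # no write down: data must not flow lower
        else:
            raise ValueError(f"unknown operation {op!r}")
        if not ok:
            self.audit.append((subject, op, obj, s.level, o.level))
        return ok


def mac_demo():
    k = MacKernel()
    k.label_subject("pid:4242", "secret")           # a process thread
    k.label_object("/srv/plans.txt", "confidential")
    k.label_object("/srv/ops.txt", "top secret")
    k.label_object("tcp:8443", "secret")
    k.label_object("shm:public", "undefined")
    return {
        "read_confidential": k.authorize("pid:4242", "/srv/plans.txt", "read"),
        "read_top_secret": k.authorize("pid:4242", "/srv/ops.txt", "read"),
        "write_top_secret": k.authorize("pid:4242", "/srv/ops.txt", "write"),
        "write_same_level": k.authorize("pid:4242", "tcp:8443", "write"),
        "write_public": k.authorize("pid:4242", "shm:public", "write"),
        "denials_logged": len(k.audit),
    }


if __name__ == "__main__":
    print(mac_demo())
```

The two denials in the demo (reading top secret data, and writing secret-cleared output into a public shared memory segment) are exactly the cases a DAC ACL cannot express, because they depend on the labels rather than on who the subject is.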

RBAC

In the RBAC model, a role is defined in terms of the tasks and operations that the role will need to carry out, whereas DAC specifies which subjects can access which objects.

RBAC uses a centrally administered set of controls to determine how subjects and objects interact. This type of model allows access to resources to be based on the role the user holds within the company, for example a software development company.

A role can be thought of as a set of transactions that a user or set of users can perform within the context of an organization i.e. a collection of permissions.

A transaction can be thought of as a transformation procedure plus a set of associated data items.

Roles are group oriented; created for job functions

Roles are designed around the principle of least privilege

Role-based access control policy bases access control decisions on the functions a user is permitted to perform within an organization

RBAC provides a means of naming and describing many-to-many relationships between individuals and rights

A user has access to an object based on the assigned role.

Roles are defined based on job functions.

Permissions are defined based on job authority and responsibilities within a job function.

Operations on an object are invoked based on the permissions.

The object is concerned with the user’s role, not with the user’s identity.
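As an added example, not code from the original post, the following Python model implements the relationships listed above: permissions (an operation on an object) attach to roles, roles attach to users in a many-to-many fashion, and an access check consults the user's roles rather than the user's identity. It also shows the administrative side of least privilege: removing a role from a user on a job change drops all of that role's permissions at once without touching any object. The roles, users and permissions are constructed for an imagined software company.

```python
"""Added example (not from the original post): a small role-based access
control (RBAC) model. Permissions attach to roles, roles attach to users,
and an object check consults the user's roles, never the user's identity.
Roles, permissions and users are constructed for illustration."""

from collections import defaultdict


class Rbac:
    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> {(operation, object)}
        self.user_roles = defaultdict(set)   # user -> {role}

    def define_role(self, role, *perms):
        """A role is a collection of permissions for one job function."""
        self.role_perms[role].update(perms)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"undefined role {role!r}")
        self.user_roles[user].add(role)

    def deassign(self, user, role):
        self.user_roles[user].discard(role)

    def effective_permissions(self, user):
        """Union of the permissions of every role the user holds."""
        return set().union(*(self.role_perms[r] for r in self.user_roles[user]))

    def can(self, user, operation, obj):
        """The object is checked against the user's roles, not the user."""
        return (operation, obj) in self.effective_permissions(user)

    def users_with(self, operation, obj):
        """Audit helper: who is currently able to do this to this object?"""
        return sorted(u for u in self.user_roles if self.can(u, operation, obj))


def rbac_demo():
    r = Rbac()
    r.define_role("developer", ("read", "repo"), ("write", "repo"))
    r.define_role("reviewer", ("read", "repo"), ("approve", "merge_request"))
    r.define_role("release_mgr", ("read", "repo"), ("deploy", "production"))
    # Many-to-many: a user may hold several roles, a role serves many users.
    r.assign("dev1", "developer")
    r.assign("dev2", "developer")
    r.assign("dev2", "reviewer")
    r.assign("lead", "reviewer")
    r.assign("lead", "release_mgr")
    out = {
        "dev1_write_repo": r.can("dev1", "write", "repo"),
        "dev1_deploy": r.can("dev1", "deploy", "production"),
        "dev2_approve": r.can("dev2", "approve", "merge_request"),
        "deployers": r.users_with("deploy", "production"),
    }
    # Job change: removing one role drops all of its permissions at once,
    # and no object's settings need to be edited.
    r.deassign("lead", "release_mgr")
    out["lead_deploy_after_change"] = r.can("lead", "deploy", "production")
    out["lead_perm_count"] = len(r.effective_permissions("lead"))
    return out


if __name__ == "__main__":
    print(rbac_demo())
```

The `users_with` helper is the kind of query an internal audit needs for least-privilege reviews: because access is expressed through roles, the answer to "who can deploy to production?" is computed from the role assignments rather than gathered from per-object ACLs.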

Conclusion:

Thus, a custom software development company should adopt structured methods of access control and assign roles to employees based on the privileges they need. This leads to secure access and sound security in the company or firm, restricting entities from using unauthorised information.

About Me

Working as an intern at iFour Consultancy, a leading software company in Gujarat.
I work at iFour Consultancy in the Information Security department. My job role is related to learning about internal audit and the latest trends in information security.
Company website:
http://www.ifour-consultancy.com http://www.ifourtechnolab.com